Page 20 - Security Today, May/June 2025
CYBERSECURITY
Multilayer encryption. While most physical security devices can encrypt data, IT security protocols take encryption to the next level. Employing multiple encryption layers and multiple encryption keys makes it more difficult for malicious attackers to gain access to the data stream. For example, MACsec encryption might be used at layer two for services like DHCP, NTP and ARP, while HTTPS might be used at layer seven for API calls and the WebGUI.
Certificate management. Many security devices employ certificates, digital documents that verify a device’s identity on the network and provide the mechanisms for encrypting the data it transmits. However, most physical security devices don’t support certificate management protocols like EST (Enrollment over Secure Transport) or SCEP (Simple Certificate Enrollment Protocol). These protocols automate the process of installing and replacing device certificates. Since certificates are crucial for encryption and authentication, it is unlikely that IT would approve devices that require manual certificate management.
Zero-trust architecture. IT relies on zero-trust architecture to minimize the radius of damage should a breach occur. This entails micro-segmenting sensitive resources, using end-to-end encryption, continuously monitoring user and device behavior for anomalies, and implementing robust incident response and recovery mechanisms. To support that goal, IT needs to be able to verify the authenticity of physical security devices before authorizing their access to the network.
In addition to protecting network access, zero-trust architecture enables IT to automate device enrollment, which, depending on the number of security devices being introduced to the network, can be a critical time saver.
That is why IT wants security devices that can be onboarded and provisioned automatically through secure network protocols. For instance, devices that carry device IDs (IEEE 802.1AR) can be loaded onto the network automatically, right out of the box. Once installed, the policy engine server on the network checks the device’s ID and its associated policies, such as which ports to open. So the IT administrator doesn’t have to touch the device or assign it an IP address or a VLAN. To simplify things further, while the device sits on a provisional VLAN, IT can harden it with management software.
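The onboarding check described above, a policy engine validating a device’s 802.1AR DevID certificate before handing out its VLAN and port policy, as an added Go example that is not from the article or from any vendor’s product. The manufacturer CA, the serial number "CAM-0001" and the policy table are constructed for the demonstration; the Issue function only builds test certificates, standing in for the identity a manufacturer installs at the factory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// DevicePolicy is what the policy engine hands back for an admitted device.
type DevicePolicy struct{ VLAN int; Ports []int }

// Constructed sample: approved device serial numbers and the provisioning policy for each.
var policyBySerial = map[string]DevicePolicy{"CAM-0001": {VLAN: 120, Ports: []int{443, 554}}}

// AdmitDevice is the policy-engine check: the DevID certificate a device presents must chain to
// a trusted manufacturer CA and be inside its validity window before its subject serial number
// is used to select a policy. Any failure leaves the device unprovisioned on the holding VLAN.
func AdmitDevice(devIDDER []byte, trusted *x509.CertPool) (DevicePolicy, error) {
	cert, err := x509.ParseCertificate(devIDDER)
	if err != nil {
		return DevicePolicy{}, err
	}
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return DevicePolicy{}, err // untrusted issuer, expired, or broken chain
	}
	pol, ok := policyBySerial[cert.Subject.SerialNumber]
	if !ok {
		return DevicePolicy{}, errors.New("serial not approved: " + cert.Subject.SerialNumber)
	}
	return pol, nil
}

// Issue creates a test certificate with a fresh Ed25519 key: self-signed when parent is nil (a
// stand-in manufacturer root), otherwise signed by parentKey the way a vendor CA signs an IDevID
// at the factory. The device identifier is carried in the subject serialNumber field, as in a DevID.
func Issue(cn, serial string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) ([]byte, ed25519.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn, SerialNumber: serial},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA,
	}
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	return der, key, err
}
```

A device whose certificate was signed by an unknown CA, whose serial is not on the approved list, or whose certificate has expired is rejected before any VLAN or port policy is applied.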
Active Directory and single sign-on. In physical security systems, administrators tend to manage user privileges in local accounts. But in an enterprise environment, IT security protocols require that network devices be managed more securely through a centralized user rights management service like Active Directory. To operate in this global enterprise domain, physical security devices would need to support protocols like OAuth 2.0, an IT industry standard for authorization. This would allow the physical security device to be managed more efficiently, much as servers and other IoT devices are managed on the IT network.
For instance, with Active Directory, HR could delete a resigning security officer from the directory, which would automatically revoke their access privileges for all devices across the entire network at once.
Working with Active Directory also allows security devices to support single sign-on, an authentication service that allows users to log in once to access multiple services without re-entering their user ID and password. This also allows IT to activate more secure authentication features like 2FA or MFA on these devices, adding another layer of network protection.
Lifecycle management. Because cybersecurity risks exist at every stage of a device’s lifecycle, IT needs to be able to manage the security of every device on the network from the time it is onboarded until it is decommissioned and removed. IT will be looking for security devices that support features like secure boot, which ensures that the device is free of unauthorized software modifications prior to connecting to the network.
They will also want to be able to batch process security tasks like security patches, bug fixes, and upgrades to device operating systems. In addition, IT will want devices that allow them to easily manage device credentials, deploy certificates, disable unused services, and verify removal of outdated devices no longer supported by their manufacturers, which, unless detached, could become potential attack vectors.
Can these security protocols be retrofitted to legacy physical security devices? In most cases, the answer is no. One might be able to retrofit certificate management like EST or SCEP, but not zero-trust features. Things like a device’s digital identity need to be baked into the product at the start for it to be trusted. If security device manufacturers plan to follow these more stringent requirements, they’ll need to revamp their production process.
INVESTING IN CROSS-BREACH PREVENTION
As more stakeholders avail themselves of physical security metadata for business intelligence and operational efficiency, opportunities increase for organizations to identify ways to improve their bottom line. But using that data stream also increases the visibility of physical security devices, making them tempting targets for attackers to exploit.
Without IT-level security protocols on these devices, the potential for a breach into critical IT systems can escalate. On the other hand, having these protocols in place not only helps prevent system corruption and operation disruption, but it also assures the integrity and authenticity of the data being shared.
Wayne Dorris, CISSP, is the program manager for cybersecurity for Axis Communications in the Americas.